Enterprise Mobility, System Center, Cloud & Datacenter Management

Widgets

Search

about.me

Enterprise Mobility, System Center & Cloud Services

As consultant and Microsoft MVP I work for Inovativ, a Dutch IT company specialized in Enterprise Mobility, System Center, Cloud & Data Center Management. My primary focus is on MicrosoftTechnologies with Enterprise Mobility Suite, System Center and Microsoft Azure as main competences. As a trainer I'm providing Microsoft courses and being active in the community as blogger, & member of System Center User Group NL. Furthermore I'm a speaker at international community events like TechDays, Experts Live and user group meetings.

IPSec

This week I noticed some issues with DirectAccess on my Windows 7 client. For some strange reason both Infrastructure and Intranet tunnels are not established. When walking through the Advanced Firewall configuration I noticed that Internet Protocol security (IPsec) tunnel mode security associations (SAs) were not initiated. After some searching if found a post on Forefront forum which describes more or less the same behavior.

Thanks to Jason Jones if found my issue. By verifying the Name Resolution Policy Table (NRPT) configuration using netsh dnsclient show state and noticed that Direct Access Settings is misconfigured. The NRPT is configured using the DirectAccess Setup wizard. You can configure the rules also directly by yourself but take into account these settings are overridden when running the DirectAccess wizard!

Like this:

One of the considerations for DirectAccess planning is to decide which DNS names should be resolved internally, by your organization’s internal DNS servers, and which should be resolved externally, using an external (ISP) DNS server configured for your computer’s network interface. This distinction about which DNS server to send each query to is configured on a Windows 7 or Windows Server 2008 R2 computer using entries in the DNS Client resolver’s Name Resolution Policy Table (NRPT).

It’s recommended to use Edge Server role rather than VPN, IPSEC etc. protocols. There is an overhead and added latency when these protocols are used. The Audio/Video and media traffic is highly sensitive to latency and jitter. If you add additional encryption, it will cause delay, because it’s needed to process the traffic on client AND server side for encrypt and decrypt the data. If the traffic goes through DirectAccess network path, it can cause a long delay, jitter. Because the sensivity of A/V and media.

Without split-brain DNS, there is a natural dividing line between the DNS queries that DirectAccess and the NRPT should send to internal DNS and those that should stay on the internet. But beware! If you have split-brain DNS you may need to make some special allowances for DNS queries that should stay on the internet. Continue reading →